IN THE CLAIMS 

This listing of claims will replace all prior versions, and listings, of claims in the 
application: 
Listing of Claims: 

1 . (Currently Amended) A method for routing data packets for network flow analysis by a 
multi-processor system having a plurality of processors, comprising: 

receiving a data packet, the data packet comprising data sufficient to identify a 
network connection with which the data packet is associated; 

calculating a hash value based on said data sufficient to identify the network 
connection with which the data packet is associated; and 

assigning the data packet based on said hash value to one of said plurality of 
processors for analysis by using a number of bits of the hash value, wherein the number of bits 
used is not necessarily the total number of bits of the hash value and the number of bits used is 
determined at least in part by the number of processors included in said plurality of processors; 

wherein the data packet is assigned to said one of said plurality of processors by 
storings in a work queue associated with said one of said plurality of processor a pointer to a 
storage location in which data comprising the data packet is stored; and the processor is 
configured to read the pointer, use the pointer to read the data comprising the data packet directly 
from the storage location in which said data comprising the data packet is stored, use the data 
comprising the data packet to perform a network flow analysis with respect to a network flow 
with which the data packet is associated, and store in a return queue associated with the 
processor a data indicating that the processor is finished processing the data comprising the data 
packet; and wherein the data indicating that the processor is finished processing the data 
comprising the data packet is used to determine that the storage location is available to be used to 
store a subsequently received data comprising a subsequently received data packet ; and further 
comprising reading the pointer from the return queue and using the pointer read from the return 
queue to add the storage location to a free list of storage locations available to be assigned to a 
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network communication interface configured to receive the subsequently received data packet 
and to store said subsequently received data comprising the subsequently received data packet . 

2. (Original) The method of claim 1, wherein said data sufficient to identify the network 
connection with which the data packet is associated comprises address data. 

3. (Original) The method of claim 1, wherein said data sufficient to identify the network 
connection with which the data packet is associated comprises address data associated with a 
source computer that sent the data packet and address data associated with a destination 
computer to which the data packet is addressed. 

4. (Original) The method of claim 1 , wherein the data packet is sent using the TCP/IP suite 
of protocols and said data sufficient to identify the network connection with which the data 
packet is associated comprises an IP address and port number associated with the source 
computer that sent the data packet and an IP address and port number associated with the 
destination computer to which the data packet is addressed. 

5. (Previously Presented) The method of claim 1 5 the storage location comprises a location 
in a host memory associated with the multi-processor system. 

6. (Original) The method of claim 5, further comprising sending an interrupt message to a 
driver, the interrupt message comprising data identifying the storage location in host memory in 
which the data packet is stored. 

7. (Cancelled) 

8. (Cancelled) 

9. (Previously Presented) The method of claim 1 , wherein said work queue is a circular 
queue. 

10. (Original) The method of claim 1, further comprising associating the data packet with 
one or more other data packets associated with the same network connection with which the 
received data packet is associated to recreate a network flow associated with said network 
connection. 
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1 1 . (Original) The method of claim 10 5 further comprising analyzing the network flow to 
determine if any security-related event has occurred. 

12. (Original) The method of claim 1 1 5 wherein a security-related event is determined to 
have occurred if the network flow matches a pattern associated with a known attack. 

13. (Original) The method of claim 11, wherein a security-related event is determined to have 
occurred if the network flow deviates from normal and permissible behavior under the network 
protocol under which the data packet was sent. 

14. (Currently Amended) A computer program product for routing data packets for network 
flow analysis by a multi-processor system, the computer program product being embodied in a 
computer readable medium and comprising computer instructions for: 

receiving a data packet, the data packet comprising data sufficient to identify a 
network connection with which the data packet is associated; 

calculating a hash value based on said data sufficient to identify the network 
connection with which the data packet is associated; and 

assigning the data packet based on said hash value to a processor of said multi- 
processor system for analysis by using a number of bits of the hash value, wherein the number of 
bits used is not necessarily the total number of bits of the hash value and the number of bits used 
is determined at least in part by the number of processors included in said plurality of processors; 

wherein the data packet is assigned to said one of said plurality of processors by 
storings in a work queue associated with said one of said plurality of processors,, a pointer to a 
storage location in which data comprising the data packet is stored; and the processor is 
configured to read the pointer, use the pointer to read the data comprising the data packet directly 
from the storage location in which said data comprising the data packet is stored, use the data 
comprising the data packet to perform a network flow analysis with respect to a network flow 
with which the data packet is associated, and store in a return queue associated with the 
processor a data indicating that the processor is finished processing the data comprising the data 
packet; and wherein the data indicating that the processor is finished processing the data 
comprising the data packet is used to determine that the storage location is available to be used to 
store a subsequently received data comprising a subsequently received data packe t; and further 
comprising computer instructions for reading the pointer from the return queue and using the 

Application Serial No. 10/076,952 

Attorney Docket No. RECOP020 4 



pointer read from the return queue to add the storage location to a free list of storage locations 
available to be assigned to a network communication interface configured to receive the 
subsequently received data packet and to store said subsequently received data comprising the 
subsequently received data packet . 

15. (Currently Amended) A system for routing data packets for network flow analysis, 
comprising: 

a plurality of processors configured to perform network flow analysis; 
a network interface card configured to receive data packets via a network 
connection, each data packet comprising data sufficient to identify a network connection with 
which the data packet is associated; and 
- a driver configured to: 

calculate a hash value based on said data sufficient to identify the network 
connection with which the data packet is associated; and 

assign the data packet based on said hash value to one of said plurality of 
processors for analysis by using a number of bits of the hash value, wherein the number 
of bits used is not necessarily the total number of bits of the hash value and the number of 
bits used is determined at least in part by the number of processors included in said 
plurality of processors; 

wherein the data packet is assigned to said one of said plurality of processors by 
storings in a work queue associated with said one of said plurality of processors^ a pointer to a 
storage location in which data comprising the data packet is stored; and the processor is 
configured to read the pointer, use the pointer to read the data comprising the data packet directly 
from the storage location in which said data comprising the data packet is stored, use the data 
comprising the data packet to perform a network flow analysis with respect to a network flow 
with which the data packet is associated, and store in a return queue associated with the 
processor a data indicating that the processor is finished processing the data comprising the data 
packet; and wherein the data indicating that the processor is finished processing the data 
comprising the data packet is used to determine that the storage location is available to be used to 
store a subsequently received data comprising a subsequently received data packet ; and wherein 
the driver is farther configured to read the pointer from the return queue and use the pointer read 
from the return queue to add the storage location to a free list of storage locations available to be 
assigned to the network interface card . 
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16. (Previously Presented) The system of claim 1 5, wherein said data sufficient to identify 
the network connection with which the data packet is associated comprises address data. 

1 7. (Previously Presented) The system of claim 1 5, wherein said data sufficient to identify 
the network connection with which the data packet is associated comprises address data 
associated with a source computer that sent the data packet and address data associated with a 
destination computer to which the data packet is addressed. 

1 8. (Previously Presented) The system of claim 1 5, wherein the data packet is sent using the 
TCP/IP suite of protocols and said data sufficient to identify the network connection with which 
the data packet is associated comprises an IP address and port number associated with the source 
computer that sent the data packet and an IP address and port number associated with the 
destination computer to which the data packet is addressed. 

1 9. (Previously Presented) The system of claim 1 5 5 wherein the driver is further configured 
to associate the data packet with one or more other data packets associated with the same 
network connection with which the received data packet is associated to recreate a network flow 
associated with said network connection. 

20. (Previously Presented) The system of claim 19, wherein the driver is further configured 
to analyze the network flow to determine if any security-related event has occurred. 

21. (New) The system of claim 15, wherein each of at least a subset of processors comprising 
said plurality of processors is configured to perform concurrently two or more network flow 
analysis related tasks. 

22. (New) The method of claim 1, wherein each of at least a subset of processors comprising 
said plurality of processors is configured to perform concurrently two or more network flow 
analysis related tasks. 
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